psalm/docs/security_analysis/avoiding_false_positives.md

# Avoiding false-positives

When you run Psalm's taint analysis for the first time you may see a bunch of false-positives.

Nobody likes false-positives!

There are a number of ways you can prevent them:

## Escaping tainted input

Some operations remove taints from data – for example, wrapping `$_GET['name']` in an `htmlentities` call prevents cross-site-scripting attacks in that `$_GET` call.

Psalm allows you to remove taints via a `@psalm-taint-escape <taint-type>` annotation:

```php
<?php

function echoVar(string $str) : void {
    /**
     * @psalm-taint-escape html
     */
    $str = str_replace(['<', '>'], '', $str);
    echo $str;
}

echoVar($_GET["text"]);
```

## Conditional escaping tainted input

A slightly modified version of the previous example is using a condition to determine whether the return value
is considered secure. Only in case function argument `$escape` is true, the corresponding annotation
`@psalm-taint-escape` is applied for taint type `html` .

```php
<?php
/**
 * @param string $str
 * @param bool $escape
 * @psalm-taint-escape ($escape is true ? 'html' : null)
 */
function processVar(string $str, bool $escape = true) : string {
    if ($escape) {
      $str = str_replace(['<', '>'], '', $str);
    }
    return $str;
}

echo processVar($_GET['text'], false); // detects tainted HTML
echo processVar($_GET['text'], true); // considered secure
```

## Specializing taints in functions

For functions, methods and classes you can use the `@psalm-taint-specialize` annotation.

```php
<?php

function takesInput(string $s) : string {
    return $s;
}

echo htmlentities(takesInput($_GET["name"]));
echo takesInput("hello"); // Psalm detects tainted HTML here
```

Adding a `@psalm-taint-specialize` annotation solves the problem, by telling Psalm that each invocation of the function should be treated separately.

```php
<?php

/**
 * @psalm-taint-specialize
 */
function takesInput(string $s) : string {
    return $s;
}

echo htmlentities(takesInput($_GET["name"]));
echo takesInput("hello"); // No error
```

A specialized function or method will still track tainted input:

```php
<?php

/**
 * @psalm-taint-specialize
 */
function takesInput(string $s) : string {
    return $s;
}

echo takesInput($_GET["name"]); // Psalm detects tainted input
echo takesInput("hello"); // No error
```

Here we’re telling Psalm that a function’s taintedness is wholly dependent on the input to the function.

If you're familiar with [immutability in Psalm](https://psalm.dev/articles/immutability-and-beyond) then this general idea should be familiar, since a pure function is one where the output is wholly dependent on its input. Unsurprisingly, all functions marked `@psalm-pure` _also_ specialize the taintedness of their output based on input:

```php
<?php

/**
 * @psalm-pure
 */
function takesInput(string $s) : string {
    return $s;
}

echo htmlentities(takesInput($_GET["name"]));
echo takesInput("hello"); // No error
```

## Specializing taints in classes

Just as taints can be specialized in function calls, tainted properties can also be specialized to a given class.

```php
<?php

class User {
    public string $name;

    public function __construct(string $name) {
        $this->name = $name;
    }
}

/**
 * @psalm-taint-specialize
 */
function echoUserName(User $user) {
    echo $user->name; // Error, detected tainted input
}

$user1 = new User("Keith");
$user2 = new User($_GET["name"]);

echoUserName($user1);
```

Adding `@psalm-taint-specialize` to the class fixes the issue.

```php
<?php

/**
 * @psalm-taint-specialize
 */
class User {
    public string $name;

    public function __construct(string $name) {
        $this->name = $name;
    }
}

/**
 * @psalm-taint-specialize
 */
function echoUserName(User $user) {
    echo $user->name; // No error
}

$user1 = new User("Keith");
$user2 = new User($_GET["name"]);

echoUserName($user1);
```

And, because it’s form of purity enforcement, `@psalm-immutable` can also be used:

```php
<?php

/**
 * @psalm-immutable
 */
class User {
    public string $name;

    public function __construct(string $name) {
        $this->name = $name;
    }
}

/**
 * @psalm-taint-specialize
 */
function echoUserName(User $user) {
    echo $user->name; // No error
}

$user1 = new User("Keith");
$user2 = new User($_GET["name"]);

echoUserName($user1);
```

## Avoiding files in taint paths

You can also tell Psalm that you’re not interested in any taint paths that flow through certain files or directories by specifying them in your Psalm config:

```xml
    <taintAnalysis>
        <ignoreFiles>
            <directory name="tests"/>
        </ignoreFiles>
    </taintAnalysis>
```
-												Add taint docs

											
										
										
											2020-06-19 17:56:04 +02:00
+								# Avoiding false-positives
-												Update documentation for taints and global configuration (#5098)

* [DOCS] Extend documentation on global variables configuration

* [DOCS] Synchronize meaning of @psalm-taint-source input with source code

* [DOCS] Add documentation for conditional @psalm-taint-escape

* [DOCS] Add documentation for @psalm-taint-unescape
											
										
										
											2021-01-25 17:04:00 +01:00
+								When you run Psalm's taint analysis for the first time you may see a bunch of false-positives.
-												Add taint docs

											
										
										
											2020-06-19 17:56:04 +02:00
 								Nobody likes false-positives!
 								There are a number of ways you can prevent them:
-												Fix #3610 - add security analysis documeentation

											
										
										
											2020-06-22 06:18:15 +02:00
+								## Escaping tainted input
-												More better docs

											
										
										
											2020-06-19 17:57:34 +02:00
-												Add more docs

											
										
										
											2020-06-19 18:12:28 +02:00
+								Some operations remove taints from data – for example, wrapping `$_GET['name']` in an `htmlentities` call prevents cross-site-scripting attacks in that `$_GET` call.
-												More better docs

											
										
										
											2020-06-19 17:57:34 +02:00
-												Use escape terminology

											
										
										
											2020-06-21 17:43:08 +02:00
+								Psalm allows you to remove taints via a `@psalm-taint-escape <taint-type>` annotation:
-												More better docs

											
										
										
											2020-06-19 17:57:34 +02:00
 								```php
-												Remove taint annotation as it could confuse

											
										
										
											2020-06-22 18:45:41 +02:00
+								<?php
-												More better docs

											
										
										
											2020-06-19 17:57:34 +02:00
 								function echoVar(string $str) : void {
 								    /**
-												Use escape terminology

											
										
										
											2020-06-21 17:43:08 +02:00
+								     * @psalm-taint-escape html
-												More better docs

											
										
										
											2020-06-19 17:57:34 +02:00
+								     */
-												Fix #3610 - add security analysis documeentation

											
										
										
											2020-06-22 06:18:15 +02:00
+								    $str = str_replace(['<', '>'], '', $str);
-												More better docs

											
										
										
											2020-06-19 17:57:34 +02:00
+								    echo $str;
 								}
 								echoVar($_GET["text"]);
 								```
-												Update documentation for taints and global configuration (#5098)

* [DOCS] Extend documentation on global variables configuration

* [DOCS] Synchronize meaning of @psalm-taint-source input with source code

* [DOCS] Add documentation for conditional @psalm-taint-escape

* [DOCS] Add documentation for @psalm-taint-unescape
											
										
										
											2021-01-25 17:04:00 +01:00
+								## Conditional escaping tainted input
 								A slightly modified version of the previous example is using a condition to determine whether the return value
 								is considered secure. Only in case function argument `$escape` is true, the corresponding annotation
 								`@psalm-taint-escape` is applied for taint type `html` .
 								```php
-												[TASK] Update documentation (#5163)

* [TASK] Fix code highlighting in documentation

* [TASK] Document stubs.file.preloadClasses configuration
											
										
										
											2021-02-07 04:04:44 +01:00
+								<?php
-												Update documentation for taints and global configuration (#5098)

* [DOCS] Extend documentation on global variables configuration

* [DOCS] Synchronize meaning of @psalm-taint-source input with source code

* [DOCS] Add documentation for conditional @psalm-taint-escape

* [DOCS] Add documentation for @psalm-taint-unescape
											
										
										
											2021-01-25 17:04:00 +01:00
+								/**
 								 * @param string $str
 								 * @param bool $escape
 								 * @psalm-taint-escape ($escape is true ? 'html' : null)
 								 */
 								function processVar(string $str, bool $escape = true) : string {
 								    if ($escape) {
 								      $str = str_replace(['<', '>'], '', $str);
 								    }
 								    return $str;
 								}
 								echo processVar($_GET['text'], false); // detects tainted HTML
 								echo processVar($_GET['text'], true); // considered secure
 								```
-												Add taint docs

											
										
										
											2020-06-19 17:56:04 +02:00
+								## Specializing taints in functions
 								For functions, methods and classes you can use the `@psalm-taint-specialize` annotation.
 								```php
-												Remove taint annotation as it could confuse

											
										
										
											2020-06-22 18:45:41 +02:00
+								<?php
-												Add taint docs

											
										
										
											2020-06-19 17:56:04 +02:00
 								function takesInput(string $s) : string {
 								    return $s;
 								}
 								echo htmlentities(takesInput($_GET["name"]));
 								echo takesInput("hello"); // Psalm detects tainted HTML here
 								```
 								Adding a `@psalm-taint-specialize` annotation solves the problem, by telling Psalm that each invocation of the function should be treated separately.
 								```php
-												Remove taint annotation as it could confuse

											
										
										
											2020-06-22 18:45:41 +02:00
+								<?php
-												Add taint docs

											
										
										
											2020-06-19 17:56:04 +02:00
 								/**
 								 * @psalm-taint-specialize
 								 */
 								function takesInput(string $s) : string {
 								    return $s;
 								}
 								echo htmlentities(takesInput($_GET["name"]));
 								echo takesInput("hello"); // No error
 								```
 								A specialized function or method will still track tainted input:
 								```php
-												Remove taint annotation as it could confuse

											
										
										
											2020-06-22 18:45:41 +02:00
+								<?php
-												Add taint docs

											
										
										
											2020-06-19 17:56:04 +02:00
 								/**
 								 * @psalm-taint-specialize
 								 */
 								function takesInput(string $s) : string {
 								    return $s;
 								}
 								echo takesInput($_GET["name"]); // Psalm detects tainted input
 								echo takesInput("hello"); // No error
 								```
-												Fix minor typos in docs (#3956)

While I was searching for some code, ran across these.
											
										
										
											2020-08-08 14:09:41 +02:00
+								Here we’re telling Psalm that a function’s taintedness is wholly dependent on the input to the function.
-												Add taint docs

											
										
										
											2020-06-19 17:56:04 +02:00
 								If you're familiar with [immutability in Psalm](https://psalm.dev/articles/immutability-and-beyond) then this general idea should be familiar, since a pure function is one where the output is wholly dependent on its input. Unsurprisingly, all functions marked `@psalm-pure` _also_ specialize the taintedness of their output based on input:
 								```php
-												Remove taint annotation as it could confuse

											
										
										
											2020-06-22 18:45:41 +02:00
+								<?php
-												Add taint docs

											
										
										
											2020-06-19 17:56:04 +02:00
 								/**
 								 * @psalm-pure
 								 */
 								function takesInput(string $s) : string {
 								    return $s;
 								}
 								echo htmlentities(takesInput($_GET["name"]));
 								echo takesInput("hello"); // No error
 								```
 								## Specializing taints in classes
 								Just as taints can be specialized in function calls, tainted properties can also be specialized to a given class.
 								```php
-												Remove taint annotation as it could confuse

											
										
										
											2020-06-22 18:45:41 +02:00
+								<?php
-												Add taint docs

											
										
										
											2020-06-19 17:56:04 +02:00
 								class User {
 								    public string $name;
 								    public function __construct(string $name) {
 								        $this->name = $name;
 								    }
 								}
 								/**
 								 * @psalm-taint-specialize
 								 */
 								function echoUserName(User $user) {
 								    echo $user->name; // Error, detected tainted input
 								}
 								$user1 = new User("Keith");
 								$user2 = new User($_GET["name"]);
 								echoUserName($user1);
 								```
 								Adding `@psalm-taint-specialize` to the class fixes the issue.
 								```php
-												Remove taint annotation as it could confuse

											
										
										
											2020-06-22 18:45:41 +02:00
+								<?php
-												Add taint docs

											
										
										
											2020-06-19 17:56:04 +02:00
 								/**
 								 * @psalm-taint-specialize
 								 */
 								class User {
 								    public string $name;
 								    public function __construct(string $name) {
 								        $this->name = $name;
 								    }
 								}
 								/**
 								 * @psalm-taint-specialize
 								 */
 								function echoUserName(User $user) {
 								    echo $user->name; // No error
 								}
 								$user1 = new User("Keith");
 								$user2 = new User($_GET["name"]);
 								echoUserName($user1);
 								```
 								And, because it’s form of purity enforcement, `@psalm-immutable` can also be used:
 								```php
-												Remove taint annotation as it could confuse

											
										
										
											2020-06-22 18:45:41 +02:00
+								<?php
-												Add taint docs

											
										
										
											2020-06-19 17:56:04 +02:00
 								/**
 								 * @psalm-immutable
 								 */
 								class User {
 								    public string $name;
 								    public function __construct(string $name) {
 								        $this->name = $name;
 								    }
 								}
 								/**
 								 * @psalm-taint-specialize
 								 */
 								function echoUserName(User $user) {
 								    echo $user->name; // No error
 								}
 								$user1 = new User("Keith");
 								$user2 = new User($_GET["name"]);
 								echoUserName($user1);
 								```
 								## Avoiding files in taint paths
 								You can also tell Psalm that you’re not interested in any taint paths that flow through certain files or directories by specifying them in your Psalm config:
 								```xml
 								    <taintAnalysis>
 								        <ignoreFiles>
 								            <directory name="tests"/>
 								        </ignoreFiles>
 								    </taintAnalysis>
 								```